Perspectives on Cyber Security by the CEO of Paramount Defenses
Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.
Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.
Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.
One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking i.e. as a cyber security practitioner, in the grand scheme of things, it matters not as to who is trying to hack us, as much as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."
That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.
In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.
You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.
By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm a former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)
In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.
It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.
Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)
Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.
The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -
Password (case-sensitive): AreWeReallySecure?
If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise.
In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.
From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.
I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.
Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.
Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.
For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach), in many cases, he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)
Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.
We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.
From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. It's in that regard that your intentions give many of us in cyber security, as well as the American people, hope...
Making America Great(er and Safer) Again
In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.
I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.
If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.
For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.
That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.
Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.
(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)
Thank you, and Best Wishes
In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.
The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.
In God We Trust, so I wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.
PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.
Today, as the very foundation of identity, security and access management at 90% of business and government organizations worldwide, Microsoft Active Directory is the very foundation of cyber security worldwide. Today, it helps protect Trillions.
To understand how this relates to all of us, perhaps it may help to internalize that at the very foundation of cyber security of virtually every organization that directly impacts billions of people worldwide, from our employers to our financial institutions, from the companies we invest in to our governments, from our educational institutions to our hospitals, from companies that build and sell all that the world needs to companies that provide the world's utilities (energy, transportation, security etc.) lies Microsoft Active Directory.
The security of Active Directory deployments worldwide is thus critical to global security and a matter of paramount defenses.
Unfortunately, the executive and IT leadership of most organizations do not seem to clearly understand this profound fact yet, so a few weeks ago we directly brought this fact to the attention of the executive leaders of the world's Top-100 companies. In weeks to follow, we learnt just how little organizations worldwide know about the top cyber security risks to Active Directory.
It appears that in part, at the root of global lack of gravitas on this most important subject, and the lack of adequate awareness, guidance and solutions on/for Active Directory security, may lie the lack of gravitas of one particular organization, so, starting tomorrow, July 27, 2016, and in days to follow, we will ask a few questions and share a few insights right here on this blog.
Best wishes,
Sanjay
PS: I'll ask a $100B question tomorrow. Technically, given the above, it could be a Trillion $ question, but we'll leave it at 100B.
When someone doesn't know or understand something, often their first reaction is to make fun of it. Sadly, these days, to their own detriment, they do so publicly on social media. Little do they realize that everything they utter can be seen by the whole world, and by sharing their ignorance on social media with the world, they show the whole world how little they actually know.
For example, consider this individual. Perhaps he knows just enough English to see our homepage, but not to be able to go beyond it, to say this one, or this one, so he publicly and slightingly wonders who we are and asks if anyone's heard of us. I wonder if it might have ever occurred to this individual that perhaps our low-profile until now, may have been by intent. For this individual, and anyone else on Twitter etc., if you want to know who we are, please call Scott Charney at Microsoft.
Wow. Great advice! Since you make it sound so simple, now why don't you (i.e. this individual) also tell them (i.e. the world) HOW to do so i.e. how to tighten their delegation(s) in their Active Directory domains easily comprised of 1000s of objects?!
You see, this individual likely has no idea HOW to actually do so. If he did, he'd know just how extremely difficult it is to do so, and I doubt he would've said - "no big deal!" In fact, I wonder if he even knows that because it is so difficult to do so, hardly any organization in the world (including his past employers, or Microsoft for that matter) may have ever actually accurately done it?
So let me give him, his friends, and the whole world a hint - the very first thing you need to do to tighten your delegation(s) is to assess your current delegations across Active Directory, and to do so you need to be able to determine effective privileged access across the entire Active Directory domain, i.e. on thousands of objects in Active Directory, accurately.
Even the $450 Billion Microsoft Corporation may not know how to do this. But for this individual, it's "no big deal."
If he knew this, I'm not sure he might have publicly said - "no big deal!"
In fact, if he, or anyone in the world, can accurately determine effective permissions / effective access across an Active Directory domain, please go ahead, show us and the entire world how you would do so. Please. Be my guest. I insist!
Unequivocal Clarity
For anyone on Twitter who wishes to slight us without substance, let's just make this really simple for you once and for all.
Please know that if you slight us, and there's no substance to it, we too MAY share your ignorance with the WHOLE world.
By the way, if you haven't heard about us yet, it's only because for the longest time, we kept a low-profile. Please know that in the last 10 years, 10,000+ organizations from 150+ countries have knocked at our doors, unsolicited, and know who we are. Today our reach is global, and in minutes, we too can have 1000s of folks across 150+ countries learn about your ignorance.
So, to the 1% who may do so, if there's no substance, please don't embarrass yourself by making childish comments. (It's a free world and you're welcome to, but know that the whole world's watching, and they'll know just how much (or little) you know.)
PS: It would be refreshing to actually see someone say something intelligent on the subject. Unfortunately, I've only heard noise. No matter how much, noise is just noise. My time is valuable so I'll tune back in when I've heard something intelligent. Perhaps it's time to stop talking for a bit and start reading.
Earlier today, at Paramount Defenses we declassified The Paramount Brief.
All along, the password to the brief has been : AreWeReallySecure? (A question organizations need to ask themselves.)
To some the brief may appear to be a fairly simple document. Its simplicity is intentional, because it was primarily written for a non-technical audience i.e. C-Level Executives worldwide who lead the world's top business and government organizations.
It was written for C-Level executives because we found that in most organizations, not only is there a substantial lack of understanding regarding the importance of protecting their foundational Active Directory, but also there is no accountability chain, and almost no one at the top realizes the consequences that an Active Directory Security breach could have on business.
The risk described in the brief is in our opinion the world's #1 cyber security risk because it provides possibly the easiest possible avenue for professional perpetrators to start at a single initial easily compromisable organizational domain-joined machine or account and gain all-powerful privileged access (the "Keys to the Kingdom") in minutes, by just enacting a few simple tasks.
It is also imperative to understand that neither of 1) multi-factor authentication, 2) auditing, or 3) user-activity/network logging/profiling can prevent a proficient perpetrator from being successful. (Details available upon request.)
Today, I'll share just a few high-level technical details involved. The low-level technical details can be boring, so I'll save them for another day, or you can have your best IT folks try and explain them to you.
Active Directory - The Core of Privileged Access
Unless you live on another planet, you know that Active Directory is the core of privileged access in Microsoft Windows Server based IT infrastructures (and that's over 85% of the world) because all privileged power resides in Active Directory.
In fact, Active Directory is not just the core of privileged access, it is the very foundation of cyber security worldwide, because the IT infrastructures of most business and government organizations are powered by Microsoft Active Directory, and in these IT infrastructures, the entirety of the organization's user accounts, computer accounts and security groups are stored, protected and managed in the organization's Active Directory.
By the way, Active Directory is not only foundational to Microsoft's native authentication protocol in Windows, Kerberos (without which no one can logon to engage in any secure network activity in a Microsoft Windows Server based network), it is also foundational to Microsoft's entire cloud computing platform, Microsoft Azure.
An Ocean of Active Directory Permissions
Within Active Directory, each of these foundational building blocks of cyber security (domain user and computer accounts, security groups, etc.) is stored as an Active Directory object, and each is protected by an access control list (ACL) that specifies the security permissions (e.g. Create Child, Reset Password, etc.) allowed or denied to a security principal (user, group, well-known SID, etc.) on the object.
In most Active Directory deployments, there exist thousands of objects (accounts, groups, OUs etc.), each one of which needs to be securely managed. Since it is not feasible for a small number of individuals to manage such a large number of accounts and groups, Active Directory provides a valuable capability called delegation of administration which enables organizations to delegate various aspects of identity and access management amongst their IT teams based on the principle of least privilege.
This administrative delegation capability leverages Active Directory's security model, and in essence, for each administrative delegation made in Active Directory, corresponding security permissions are specified in the ACLs of all objects that fall in the scope of the administrative delegation, for the security principals (users, groups etc.) to whom the tasks are being delegated.
In addition, IT personnel also often specify access directly/manually in the ACLs of Active Directory objects to directly delegate administrative tasks or provision access to fulfill specific business requirements.
Consequently, today, in thousands of organizations worldwide, it is these very Active Directory security permissions that protect all privileged user accounts and group memberships, and in fact all Active Directory content, and that ultimately control/govern who has what privileged access across the network.
In fact, in most Active Directory deployments, since IT personnel have been delegating administration and provisioning access in the Active Directory for years now, there exist hundreds of thousands, if not millions of Active Directory security permissions that are collectively protecting the organization's foundational building blocks of cyber security.
In essence, underlying the foundational cyber security of most organizations worldwide, is an ocean of Active Directory security permissions collectively protecting the very building blocks of cyber security in their Active Directory.
How Secure are our Building Blocks of Security in Active Directory?
Given that these very foundational building blocks of cyber security are what enable an organization to facilitate secure access to the entirety of its IT assets, it is worth asking how secure these building blocks themselves are within Active Directory.
For instance, since all of the most powerful administrative security groups in a Microsoft Windows Server IT infrastructure (e.g. Enterprise Admins, Domain Admins, Builtin Admins, etc.) are stored in Active Directory, it's worth asking the question - Exactly how many individuals today have sufficient access to be able to change/control/manage the membership of these groups?
After all, if an unauthorized individual could control the membership of any one of these powerful privileged access groups, he could instantly elevate himself or anyone of his choice to be an all-powerful admin and obtain the "Keys to the Kingdom".
Similarly, for each privileged access user that is a member of these powerful privileged groups, it's worth asking the question - Exactly how many individuals can reset the password of the domain user account of these privileged access users?
After all, if a single unauthorized individual could reset the password of even one of these privileged accounts, he/she could instantly become a privileged user and obtain the "Keys to the Kingdom". Similarly, if Smart cards are in use, it's absolutely worth knowing, at all times, exactly how many individuals can disable the use of Smart Cards on Active Directory accounts.
In fact, the same questions must be asked for all Executive accounts, such as that of the CEO, CIO, CISO, CFO etc. Actually they hold true for all accounts, such as that of a Software Engineer that might have access to the source-code of an operating system at a major software company, or a financial analyst who might have access to confidential financial data, so ideally organizations must know exactly who can reset the password of / disable the Smart Card of every employee in the organization.
By the same token, isn't it worth asking the question as to exactly how many people can change the membership of any domain security group that is being used to control access to a small or large set of IT resources across the network? After all, the easiest way to gain access to a large number of IT resources across the network is simply to add your account to a security group that already has access to these IT resources. That way, you don't even have to try to compromise a server; you'll automatically be granted access to all IT assets across the network to which that group is granted access!
In summary, organizations have a mission-critical need to know, at all times, exactly who can control the very foundational building blocks of their cyber security, because without this knowledge, they are operating in the (dangerous) proverbial dark.
100%
In case you're wondering how relevant this might be to cyber security today, allow me to share a simple fact with you - 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of a single Active Directory privileged access user account.
As evidenced by these breaches, today Active Directory privileged user accounts are the #1 target for malicious perpetrators.
Thus far, perpetrators have been using difficult ways to compromise Active Directory accounts. I'm referring to passing hashes, reusing tickets etc. Unfortunately, there are far easier ways to compromise Active Directory privileged user accounts today.
For instance, all you need to do is to find out who can reset a privileged user's password, iterate that process a few times, and find a single vulnerable starting point, which once compromised, will allow you to escalate your privilege to that privileged user within seconds, without having to go through such archaic and painful ways (i.e. pass-the-hash etc.)
For that matter, simply determine who controls the membership of a privileged user group, then find out who can reset their password, and iterate the process a couple of times, and you'll likely find that some local IT admin whose account or computer is insufficiently protected is in that chain. That's your starting point. Once you've got his account, the rest takes a few seconds.
The astute mind will get the drift.
But we use Smart Cards!
Organizations that have Smart Cards or other multi-factor authentication measures in place may be operating under a false sense of security by assuming that since they have multi-factor authentication in place, they're immune from password reset based attack vectors. (Besides there's much more to this than mere password resets.)
For such organizations, it might help to know that the weakest link in the use of smart cards (or other multi-factor authentication measures) is that anyone who has administrative control over the smart-card protected account can with a single mouse-click uncheck the Smart card is required for interactive logon setting on the account.
As soon as that happens, authentication on the account will fall back to being password based, and one can set any password of choice on the account and log in with it. So at the very least, it's worth knowing at all times - Exactly how many individuals have Modify Permissions or Write Property on the relevant attribute of smart-card enabled accounts?
The astute mind will note that in addition to the above, you'll also want to know exactly who has the Modify Permissions permission on a Smart Card enabled account, because anyone who has that permission can grant him/herself any permission on the account, including the permission required to uncheck the Smart card is required for interactive logon setting.
Cyber Security 101
Folks, this is Cyber Security 101. After all, if cyber security is fundamentally about ensuring that all access to an organization's digital assets is authenticated and authorized based on the principle of least privilege, how can an organization accomplish that without knowing exactly who effectively has what access on the very foundational building blocks of cyber security that enable it to provision and maintain least-privileged access across its IT infrastructure?
Today, at the very least, all organizations must have answers to the following basic questions -
How many individuals possess unrestricted privileged access in Active Directory?
How many individuals possess restricted (delegated) privileged access in Active Directory?
Exactly who can manage the accounts of these unrestricted and restricted privileged access users?
Exactly who can reset the passwords of these unrestricted and restricted privileged access users?
Exactly who can change the membership of our privileged security groups in Active Directory?
Exactly who can control security permissions on privileged accounts, groups and OUs in Active Directory?
(The astute mind will observe that one should at the very least also know exactly who can modify the Trusted for Unconstrained Delegation bit on domain computer accounts, because if you can do that, then ... (... I'll let you complete the sentence.))
After all, if we don't even know who possesses and controls privileged access in our foundational Active Directory environments, i.e. who possesses and controls the Keys to the Kingdom, what's the point of deploying a plethora of cyber security measures.
Ideally, at a minimum, the same questions should be answered for all executive accounts (CEO, CFO, CIO, CISO, Board Members, VPs etc.) and groups, as well as all high-value accounts, groups and IT assets stored in the Active Directory.
Speaking of which, shouldn't organizations know exactly who can create user accounts and security groups in their Active Directory, or for that matter, join machines to the domain, and of course who can delete domain user and computer accounts, security groups and OUs?
(The astute mind will observe that in fact there is a lot more that all organizations must know about at all times, such as, for instance, something as simple as who can change the logon hours of domain user accounts, because if just ONE perpetrator (e.g. a disgruntled insider) who had sufficient effective access to be able to do so, were to write a simple script to change the logon hours of all domain user accounts, you could easily have a situation wherein come Monday morning at 9:00 am no one would be able to logon, and of course if no one can logon, business comes to a proverbial halt!) So, how do we answer these fundamental yet important cyber-security questions?
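As an added illustration for this page (it is not code from the post or from Paramount Defenses' products), the following Python audits the two account-level settings raised above, the "Smart card is required for interactive logon" flag and logon hours, against a constructed snapshot of account attributes. The account names, attribute values and the smart-card baseline list are made up for the example; the userAccountControl bit value and the 21-byte logonHours layout are Microsoft's documented ones.

```python
"""Added example for this page (not the post's or Paramount Defenses' code):
audit two account settings discussed above using a constructed export.

- 'Smart card is required for interactive logon' is bit 0x40000
  (ADS_UF_SMARTCARD_REQUIRED) of userAccountControl; clearing it makes
  the account fall back to password-based logon.
- logonHours is a 21-byte bitmask, one bit per hour of the week (168);
  a mask with no bits set means the account can never log on, and an
  absent attribute means no restriction.
"""
from typing import Dict, Iterable, List, Optional

UF_SMARTCARD_REQUIRED = 0x40000   # ADS_UF_SMARTCARD_REQUIRED
UF_NORMAL_ACCOUNT = 0x200         # ADS_UF_NORMAL_ACCOUNT
HOURS_PER_WEEK = 168

Account = Dict[str, object]

# Constructed snapshot (sample data, not from any real directory):
# samAccountName -> the two attributes as an LDAP export would return them.
SNAPSHOT: Dict[str, Account] = {
    "da-alice":   {"userAccountControl": UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED,
                   "logonHours": b"\xff" * 21},
    "da-bob":     {"userAccountControl": UF_NORMAL_ACCOUNT,          # bit cleared
                   "logonHours": b"\xff" * 21},
    "ceo":        {"userAccountControl": UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED,
                   "logonHours": b"\x00" * 21},                      # zero hours
    "analyst":    {"userAccountControl": UF_NORMAL_ACCOUNT,
                   "logonHours": None},                              # unrestricted
    "nightshift": {"userAccountControl": UF_NORMAL_ACCOUNT,
                   "logonHours": b"\x0f" + b"\x00" * 20},            # 4 hours/week
}

# Constructed baseline: accounts the organization requires to use smart cards.
SMARTCARD_BASELINE = {"da-alice", "da-bob", "ceo"}


def smartcard_required(uac: int) -> bool:
    """True if the 'Smart card is required for interactive logon' bit is set."""
    return bool(uac & UF_SMARTCARD_REQUIRED)


def smartcard_enforcement_dropped(snapshot: Dict[str, Account],
                                  baseline: Iterable[str]) -> List[str]:
    """Accounts that should require a smart card but currently do not,
    i.e. the single-click fallback to password logon described above."""
    return sorted(
        name for name in baseline
        if name in snapshot
        and not smartcard_required(int(snapshot[name]["userAccountControl"]))
    )


def allowed_hours(logon_hours: Optional[bytes]) -> int:
    """Hours per week in which logon is permitted (absent attribute = all)."""
    if logon_hours is None:
        return HOURS_PER_WEEK
    return sum(bin(byte).count("1") for byte in logon_hours)


def locked_out_by_logon_hours(snapshot: Dict[str, Account]) -> List[str]:
    """Accounts whose logonHours mask permits no hour at all: the 'nobody can
    log on Monday at 9:00' scenario, visible before Monday arrives."""
    return sorted(
        name for name, attrs in snapshot.items()
        if allowed_hours(attrs.get("logonHours")) == 0
    )


def logon_hours_changed(before: Dict[str, Account],
                        after: Dict[str, Account]) -> List[str]:
    """Accounts whose logonHours differ between two snapshots; a sudden
    long list is the signature of a script rewriting hours in bulk."""
    return sorted(
        name for name in after
        if name in before
        and before[name].get("logonHours") != after[name].get("logonHours")
    )


if __name__ == "__main__":
    print("smart card enforcement dropped:",
          smartcard_enforcement_dropped(SNAPSHOT, SMARTCARD_BASELINE))
    print("zero logon hours:", locked_out_by_logon_hours(SNAPSHOT))
```

Run on a scheduled export, the first function answers "which accounts silently fell back to passwords" and the third answers "did someone rewrite logon hours in bulk since the last export", which is the detection counterpart to the two scenarios the post describes. Knowing who is able to make those changes is the effective-permissions question the rest of the post turns to.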
As mentioned above, today, in most organizations worldwide, the entirety of an organization's foundational cyber security building blocks are being collectively protected by hundreds of thousands (and in most cases, millions) of Active Directory security permissions specified in Active Directory ACLs.
How is an organization to determine exactly who has what level of privileged access across these hundreds of thousands (or millions) of security permissions spanning thousands of their Active Directory objects?
Those who know very little about Active Directory Security will tell you that's easy. They'll suggest doing a simple ACL dump and then looking at what permissions are granted to which users/groups. In fact, I wouldn't be surprised if most IT personnel at most organizations will suggest this route. (One could of course follow that suggestion, but then one would end up with substantially inaccurate data, reliance upon which could be very dangerous, to say the least.)
You see, unfortunately, it's not that easy. In fact, it's difficult, very difficult.
Here's why...
Active Directory Effective Permissions/Access
For the sake of simplicity, consider the security permissions specified in the ACL of a single Active Directory object.
Each of these Active Directory security permissions allows or denies some user or group some access. However, they do not individually determine access: permissions can be allowed or denied, and explicit or inherited, so it is the complete set of all security permissions specified in the ACL of an Active Directory object, considered as a whole and in light of the governing precedence rules (e.g. explicitly specified permissions override inherited permissions, but not always; denies override allows, but not always, etc.), that ultimately determines the true, actual, i.e. effective, permissions/access granted on the object.
In other words, it is the effective permissions on an Active Directory object that matter and that govern who really has what access on an Active Directory object. This one fundamental fact of Active Directory security potentially impacts global security today, yet very few folks understand it.
Any individual or organizations that is relying on a simple enumeration/analysis of who has what permissions, as opposed to who has what effective permissions, is doing it completely wrong, and operating on dangerously inaccurate data.
In fact, effective permissions are so important that Microsoft's native tooling (the Advanced Security Settings dialog of Active Directory Users and Computers) has an entire tab dedicated to them, the Effective Permissions tab (called Effective Access on newer versions of Windows).
Unfortunately, Microsoft's Effective Permissions tab has three major deficiencies that render it practically useless for this purpose.
The first is that it does not always take all the factors involved in accurately determining effective permissions into account.
(I'm not about to publicly mention the inaccuracies of the native Effective Permissions calculator in Active Directory, because the last time I mentioned one publicly, Microsoft picked up on it and fixed it. That one had to do with determining and displaying who can modify back-links in Active Directory. Strictly speaking, no one can modify back-links, because they are constructed/read-only. However, prior to my having mentioned that publicly, the Effective Permissions tab/calculator would happily (and errantly) display a list of individuals who could modify back-links.)
The second, and a major one, is that (as seen in the picture above) it can at best compute an approximation of the effective permissions for one specific user whom you have to name. The astute mind will note that this very quickly renders it almost unusable, because if you had 10,000 domain user accounts in your Active Directory, you would have to enter the identity of each of these 10,000 users, ONE by ONE, and note their effective permissions, to ultimately and hopefully arrive at the list of all individuals who have a specific effective permission on a given Active Directory object.
I don't know about you, but if my manager asked me to sit in front of a computer, and enter 10,000 names one after the other, then make a note of all the effective permissions granted to each user, (you know, a process that could take weeks), I would probably find more suitable employment elsewhere.
The third and biggest one is that Microsoft's native Effective Permissions tab can at best determine effective permissions for a single user on a single object. In other words, if an organization had thousands of objects in its Active Directory, IT personnel would have to use the tab one object at a time, specifying one user at a time, a process that could take years, not to mention that since the state of access in Active Directory is constantly changing, any such attempt would in all likelihood be futile to begin with.
For instance, consider this - let's say you wanted to answer the simple, fundamental question - Who can create user accounts in our Active Directory?
That seems like a question most organizations should want the answer to, because anyone who can create a user account can engage in malicious activity under an identity that cannot be linked to them.
It turns out that to answer this one question, the organization would have to determine effective permissions on every object in Active Directory under which a user account could be created, i.e. every Organizational Unit and container, because the right that matters (Create Child objects of class user) is granted on the parent, not on the user object itself.
We recently had a very prominent government organization come to us with this exact need. For reasons best known to them, they had 20,000 organizational units in their Active Directory domain, so to answer that one simple fundamental question, they would have to determine effective permissions on at least 20,000 OUs in their Active Directory!
There are very few people in the world who know how to accurately determine effective permissions in Active Directory. Even if one of them could, and it took 30 minutes per object, it would take 600,000 minutes (10,000 hours, roughly five working years) to determine effective permissions across 20,000 objects, and that assumes no one changed a single permission during that time.
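The two points above, that an ACL is evaluated as a whole in canonical order (so a raw ACL dump gives the wrong answer) and that a question like "who can create user accounts?" has to be answered across every OU and container, can be made concrete with a small evaluator. The following is an added example written for this page; it is not code from the post and not Paramount Defenses' tooling, and it goes beyond the text by inverting the question across a whole set of objects. The ACLs, groups and users are constructed; rights are modelled as plain strings (a real DACL carries access masks and object-type GUIDs), and an ACE's trustee and a user's token are names standing in for SIDs.

```python
"""Toy Active Directory effective-permissions evaluator (added example).
Models the DACL semantics described above: ACEs are walked in canonical order
(explicit deny, explicit allow, inherited deny, inherited allow), a right is
settled by the FIRST applicable ACE that mentions it, and a principal's token
is the transitive closure of its group memberships. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str           # "allow" or "deny"
    trustee: str        # a user or group name standing in for a SID
    rights: frozenset   # e.g. {"ResetPassword", "CreateChild:user"}
    inherited: bool     # True if the ACE flowed down from a parent object


# Canonical DACL order: explicit denies, explicit allows, inherited denies, inherited allows.
_RANK = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}


def canonical_order(acl):
    return sorted(acl, key=lambda ace: _RANK[(ace.inherited, ace.kind)])


def expand_groups(principal, membership):
    """Transitive closure of group membership (what tokenGroups reports)."""
    token, todo = {principal}, [principal]
    while todo:
        for group in membership.get(todo.pop(), ()):
            if group not in token:
                token.add(group)
                todo.append(group)
    return token


def effective_rights(acl, token):
    """MAXIMUM_ALLOWED-style walk. Once a right has been granted or denied by an
    applicable ACE it is removed from `remaining`, so a later ACE (for example an
    inherited deny coming after an explicit allow) can no longer change the outcome."""
    remaining = set().union(*(ace.rights for ace in acl))
    granted = set()
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        hit = ace.rights & remaining
        if ace.kind == "allow":
            granted |= hit
        remaining -= hit
    return granted


def naive_dump(acl, right):
    """The 'simple ACL dump' approach: trustees of allow ACEs that name the right."""
    return {ace.trustee for ace in acl if ace.kind == "allow" and right in ace.rights}


def who_can(objects, right, users, membership):
    """Invert the question: for every object, which users effectively hold `right`."""
    result = {}
    for name, acl in objects.items():
        holders = {u for u in users
                   if right in effective_rights(acl, expand_groups(u, membership))}
        if holders:
            result[name] = holders
    return result


# --- constructed directory -------------------------------------------------
MEMBERSHIP = {"alice": {"Helpdesk"}, "bob": {"Tier1-Ops", "Contractors"},
              "carol": {"Helpdesk", "Tier1-Ops"}, "dave": {"Contractors"},
              "Contractors": {"Vendors"}}        # Contractors is nested in Vendors
USERS = ["alice", "bob", "carol", "dave"]
OBJECTS = {
    "OU=Admins": [
        Ace("allow", "Helpdesk", frozenset({"ResetPassword"}), inherited=True),
        Ace("deny", "Helpdesk", frozenset({"ResetPassword"}), inherited=False),
        Ace("allow", "Tier1-Ops", frozenset({"ResetPassword", "CreateChild:user"}), inherited=False),
        Ace("deny", "Vendors", frozenset({"ResetPassword", "CreateChild:user"}), inherited=True),
    ],
    "OU=Sales": [
        Ace("allow", "Helpdesk", frozenset({"ResetPassword"}), inherited=True),
        Ace("allow", "Vendors", frozenset({"CreateChild:user"}), inherited=True),
        Ace("deny", "Contractors", frozenset({"CreateChild:user"}), inherited=False),
    ],
}

if __name__ == "__main__":
    print("ACL dump says Reset Password on OU=Admins:",
          naive_dump(OBJECTS["OU=Admins"], "ResetPassword"))
    print("Effective Reset Password holders:",
          who_can(OBJECTS, "ResetPassword", USERS, MEMBERSHIP))
    print("Effective Create-user holders:",
          who_can(OBJECTS, "CreateChild:user", USERS, MEMBERSHIP))
```

On OU=Admins the ACL dump names Helpdesk and Tier1-Ops (which expands to alice, bob and carol) as able to reset passwords, while the effective answer is bob alone: alice and carol are stopped by the explicit deny on Helpdesk, and bob keeps the right because his explicit allow is evaluated before the inherited deny on Vendors. Creating user accounts is effectively possible only under OU=Admins, since the explicit deny on Contractors blocks the inherited allow on Vendors under OU=Sales.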
I think you'll get the drift.
(Incidentally, with our innovative cyber security tooling that embodies our unique, patented and globally recognized effective access assessment technology, this organization was able to make this determination within minutes, at a button's touch.)
You see, in order to answer these elemental and fundamental cyber security questions concerning who has what privileged access in Active Directory, organizations require the ability to accurately and efficiently determine effective access across an entire tree of Active Directory objects. (Simply put, the ability to efficiently perform an accurate effective privileged access audit.)
Unfortunately, Active Directory completely lacks this elemental and fundamental capability, and as a result, organizations have no way of knowing exactly who effectively has what privileged access on their foundational building blocks of cyber security. (They never have!)
In fact, because they have never had this capability, considering that most Active Directory deployments have been around for years, and that a substantial amount of access provisioning and delegation has been done over the years, we have a situation wherein an excessive and unknown number of users have all kinds of effective privileged access in the Active Directory, yet no one knows exactly who has what effective privileged access.
Beware of Inaccurate Tooling
I'll digress for a minute to share something important with you. As the old saying goes, the only thing more dangerous than no knowledge is inaccurate knowledge. In all of the ten years that we've been around, not a single organization has attempted to address the problem, perhaps because they're mature enough to understand just how difficult it is to solve.
However, recently one company had a brilliant(ly dumb) marketing idea for its auditing solution, so amidst some fanfare it released freeware tooling that claims to make some of this easy. Having written the book on the subject, we tested this tooling, and were shocked to find that it is not only woefully inadequate but so substantially inaccurate that it's almost dangerous.
Interestingly, this company seems to have no clue as to just how inaccurate its tooling is. Sadly, neither do most IT pros, who may happily proceed to rely on it, in effect endangering the very foundational security of their organizations.
To metaphorically give you an idea of just how inaccurate it is, if it were being used as a metal/weapon detector at an airport, let alone boarding the flight, we would not just run out of the terminal, we would get out of the airport as fast as we could!
In our opinion, the only folks who could possibly benefit from such substantially inaccurate freeware tooling are malicious perpetrators, because even if it's only 20% accurate, that is sufficient for them to identify a few privilege escalation paths.
Organizations Worldwide are likely at High Risk
In the foundational Active Directory deployments of most organizations today, there likely exist thousands of arcane privilege escalation paths, leading from regular domain user/computer accounts to highly privileged user accounts and security groups, that are very hard to identify with the naked eye.
However, with sufficient tooling, in the wrong hands, they could be very quickly identified and potentially exploited by malicious perpetrators to inflict substantial damage within minutes.
Sadly, a malicious perpetrator need only compromise a single domain user/computer account to deploy and use such tooling to identify these privilege escalation paths. The entire discovery process would be read-only and given the sheer amount of read access that takes place in Active Directory deployments, it would in all likelihood not show up on any radar.
Once the perpetrator has identified a kill-chain, he/she could make a move at an opportune time (e.g. Saturday morning 3:00 am) and in less than 5 minutes, simply by using basic Active Directory management tools provided by Microsoft, escalate his/her privilege to that of an all-powerful privileged access user.
Once that's done, it's game over.
[Fortunately, with similar tooling, designed for and only made available to the good guys (i.e. organizational IT personnel), organizations could quickly and accurately determine effective privileged access in their Active Directory, as well as their source, and eliminate all excessive access before it can be exploited by malicious perpetrators.]
The Attack Surface
The attack surface is unfortunately vast - it is the entire Active Directory.
The attack surface is vast because virtually every domain user account, computer account, security group and other vital content stored in Active Directory is a potential target of compromise.
Active Directory Effective Privileged Access Audit
As a mature and professional cyber security company, we do not shed light on cyber security risks that cannot be mitigated, because we understand that doing so can potentially endanger organizations.
Folks, this profoundly elemental, high-impact cyber security risk is actually virtually 100% mitigatable, and in fact any organization that wishes to mitigate it can do so in a very short amount of time.
To mitigate this risk, organizations worldwide require the ability to accurately and efficiently determine effective privileged access across entire Active Directory trees (OUs, domains, etc.), so that they can quickly and reliably identify all individuals who currently possess, but are not entitled/authorized to possess, effective privileged access in their foundational Active Directory; identify the source of all such excessive access (the specific permission, and the group membership through which it applies); and revoke it before malicious perpetrators are able to identify and exploit it.
Subsequently, having attained least-privileged access state in their Active Directory, they can and must continue to maintain this least-privileged access state in their foundational Active Directory at all times, because it only takes the compromise of one privileged access user account to cause substantial damage.
My 10 minutes are almost up, so I will conclude this by adding that although this is a high-impact esoteric cyber security risk that potentially threatens the foundational cyber security of most organizations worldwide today, it is virtually 100% mitigatable, and all it really takes for an organization to mitigate this risk is to have the will to mitigate it.
Finally, as you will hopefully agree, there can be no security without accountability, and accountability must start at the very top, because should there be a cyber security incident, it is ultimately the organization's leadership that will be held accountable by its stakeholders, which is why the Paramount Brief was written for executives.
Over the last decade, IT administrators and IT professionals from 8,000+ organizations across 150+ countries worldwide have knocked at our door (completely unsolicited), and we found that most of these organizations had one thing in common - the troops in the trenches know about the problem, but middle and senior management seem clueless, as a result of which, the troops are powerless, and afraid to escalate the problem, and as a result, we have a dangerous situation wherein most organizations worldwide are still defenseless and in the proverbial dark.
It is high-time the Generals (CEOs) and their Colonels (CIOs, CISOs, IT Directors etc.) understood that their troops need their help, and that should an adversary be successful in taking them down, entire Kingdoms could be lost very, very quickly.
(Any organization in the world that would like to see a demo of just how easy this is to do may feel free to request one.)
The CEOs of the world's Top-200 business organizations have also been directly informed about this cyber security risk.
Best wishes,
Sanjay
PS1: Note to the folks at Microsoft - If you need help understanding this stuff, let me know.
In the security interest of thousands of organizations that operate on Microsoft Active Directory worldwide, as well as that of their stakeholders (shareholders, customers, employees, partners, etc.), on February 29, 2016* (originally announced as January 04, 2016) we will declassify The Paramount Brief.
The Paramount Brief documents a serious and potentially imminent cyber security risk to most organizations worldwide, one that could potentially be exploited by any insider, and within minutes, potentially result in a massive cyber security breach.
I will elaborate just a bit -
It is very serious because it could potentially grant the perpetrator complete, unrestricted, system-wide access within minutes, irrespective of whether or not security controls like 2-factor authentication, auditing etc. are in place.
It is potentially IMMINENT because i) the attack surface is vast, ii) literally anyone in the organization could enact the threat, and iii) the tooling required to identify the weaknesses and easily enact the threat is freely available today.
Literally any insider, i.e. anyone who has an Active Directory domain user account, or is in possession of a domain-joined computer, already has sufficient access to be able to identify the weaknesses and potentially exploit them.
Professional Courtesy
As a professional courtesy, last week, we shared a copy of the Paramount Brief with the top executives of some of the world's top business organizations across 6 continents worldwide. As cyber security professionals, we also asked them not to take our word for it, but to have the brief substantiated within their own IT environments and arrive at their own conclusions.
Most of these organizations have taken it seriously (and rightly so) and are in the midst of having this substantiated within their own environments. Many of them have their best people working on it, and have also requested a dialogue to gain more clarity.
(I've received Thank you notes from the CEOs of many of the world's top companies, including that of Fortune 10 companies.)
Substantiation
Organizations that have received an advanced copy of the Paramount Brief should have it internally substantiated and arrive at their own conclusions as to its applicability to them. Please do not take our word for it, but do get it objectively substantiated.
In most organizations, the substantiation part will be passed down from the CEO's office to the CIO's office to the CISO's office, and possibly down to a Director's level, who may eventually end up asking an Active Directory Admin to substantiate its validity.
5 Helpful Pointers -
Since so many Active Directory admins today do not understand the subtle yet profound difference between "Who has what permissions" and "Who has what Effective Permissions", here are a few pointers to help them objectively substantiate the risk -
Why auditing is insufficient (read #12, "The $ Billion Difference between Audit and Auditing" section here)
Why 2-factor authentication is insufficient (read #10, the "A Caveat when using Two-Factor Authentication for Active Directory Accounts" section of this blog post on the OPM Breach.)
5 Simple Questions -
To make it really easy for them, they may want to consider whether the answer to even 1 of the 5 questions below is NO -
Do we know exactly how many privileged (unrestricted and delegated) user accounts there exist in our Active Directory?
Do we know exactly how many individuals can reset the passwords of all of our accounts?
Do we know exactly how many individuals can change the membership of all of our security groups?
Do we know exactly how many individuals can set the "Trusted for Unconstrained Delegation" bit on computer accounts?
Do we know exactly how many individuals can create, delete and manage user accounts, security groups, Organizational Units (OUs) and computer accounts in our Active Directory, as well as modify critical Active Directory configuration settings (e.g. make a Schema change, make a Replication change, transfer a FSMO role, promote a DC, etc.)?
If the answer to even 1 of these questions is NO, you will have substantiated the applicability of the brief to your organization.
Since every major recent cyber security breach involved the compromise of just one Active Directory privileged user account, exactness is paramount, and approximations could well mean the difference between security and compromise.
Sole Objective
Please know that our sole objective in having shared this brief with some organizations, and in declassifying it weeks from now, is to educate organizations worldwide about an esoteric attack vector that today provides perpetrators a vast attack surface and an extremely easy route to potentially very quickly and easily gain unrestricted administrative access within their environments.
I must reiterate that it is imperative that it be unequivocally understood that we are not declassifying this with the intention of furthering business.
(If we have so many customers today, it is only because over the last 7 years, over 7000 organizations from over 150 countries have knocked at our doors, completely unsolicited, to seek our help in addressing a very important cyber security challenge.)
In fact, for any organization that wishes to determine exactly how many individuals have what level of privileged access in their foundational Active Directory deployments today, we will be glad to make our solutions available for them at no cost to them.
Also A Matter of Corporate Governance
This is also almost equally a matter of Corporate Governance today, as it is a matter of IT and cyber security risk management.
If we reached out to the executive leadership of certain organizations, it is only because when the potential of damage from even a single cyber security breach associated with this attack vector is so high that it could impact the entire organization (and in all likelihood, many of its stakeholders), it is imperative that the organization's leadership have first-hand knowledge about it.
Our cyber security intelligence indicates that in most organizations worldwide, this esoteric yet important matter is not even on the radar of the organization's IT and cyber security leadership, let alone on the radar of its executive leadership.
Today, in the event of a cyber security breach, it is the executive leadership that will be held accountable by the organization's stakeholders (shareholders, customers, employees etc.) and thus we felt that this must be brought to their direct attention.
Today, there must be a clear chain of accountability from the very top to the very bottom (e.g.: CEO > CIO > CISO > Director, Directory Services /Identity and Access Management > Enterprise Admins) because without it, security is almost impossible.
Microsoft was Informed
Please know that as early as 2008, the Paramount Brief was delivered to several senior/important individuals at Microsoft.
It appears that, for whatever reason, Microsoft chose not to act upon it.
Since thousands of organizations continue to be at risk, and continue to be oblivious to this highly potent attack vector, in light of the fact that 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account, we felt that we had no choice but to publicly declassify this.
By the way, this is not even rocket science; it is common sense. But I suppose, as they say, common sense is not so common.
By now, you must have heard about the Sony Hack. Thought I'd share a few thoughts (possibly worth a US $ Trillion) on it.
The Sony Hack has to be possibly the worst cyber security attack the world has witnessed thus far. I say thus far because, if you understand Active Directory Security, you know that with just a little effort one can easily automate the destruction of virtually any (number of) organization(s) in the world. (To the FireEyes, TripWires, Mandiants, Kasperskys and Symantecs of the world: if you need a primer/demo, let us know.)
Essence
A few weeks ago malicious perpetrators completely compromised Sony's IT infrastructure and stole vast amounts of Sony's confidential information. They then demanded that Sony take a specific action, and when Sony refused, they made good on their threat by releasing part of this information into the public domain. The release of such confidential information caused Sony significant tangible and intangible damage, the true cost of which won't be known for years.
Remarkably Easy
Based on what is known thus far, and on what U.S. officials have shared, in all likelihood what happened here is that malicious perpetrators gained administrative access within Sony's network and used it to obtain access to (and copy) whatever they wished within Sony's internal network, i.e. files, databases, emails, etc.
As described below, such an attack is remarkably easy to carry out. In fact, with just a little effort, today it can be carried out in the IT infrastructures of 85% of all organizations worldwide. (Should you need a demo, we'll be happy to arrange one for you.)
A word on Motive
The Sony Hack was so remarkably simple to carry out that when you think about it, you'd wonder why the hackers that carried out the attacks at Target, Home Depot, EBay, etc. did not inflict as much damage as the hackers who carried out the Sony Hack. I believe that the answer lies in one word - Motive.
In all likelihood, the motive of the hackers of the previous attacks was simply to obtain (steal) information for financial gain. In Sony's case, the motive seems to have been to proverbially take Sony hostage and force it to act in a specific manner (i.e. have them pull a movie.) It seems that certain demands may have initially been put forth and when Sony's executives didn't comply, the perpetrators started releasing the stolen information to demonstrate that threats were real. It is the release of this information in the public domain that caused substantial damage to Sony. In other words, the perpetrators succeeded in holding a $20+B company hostage and during the process inflicted colossal damage to the company.
As damaging as it was, this was a remarkably simple hack.
What made it so simple and easily enactable is described below.
The Sony Hack is the perfect example of what is described in "The Paramount Brief."
In the best interest of organizations worldwide (so as not to tip the bad guys off), we have not declassified it yet. There are some (at the highest offices in Microsoft and elsewhere) who have read it and who will tell you that we predicted the occurrence of such an attack over 5 years ago.
In light of what happened, we are inclined to declassify this brief in early 2015. Stay tuned.
What Really Seems to have Happened at Sony
What happened at Sony was remarkably simple. Like those of over 85% of the world's organizations, Sony's IT infrastructure is powered by the Microsoft Windows Server platform, and at the very foundation of its cyber security was its Active Directory deployment.
You can think of Active Directory as the heart of an organization's IT infrastructure. Not only does Active Directory store and protect all of the organization's administrative accounts and their passwords, it stores and protects the user accounts of all the employees and contractors, as well as the computer accounts of all the computers that make up the IT infrastructure as well as all the security groups that are used to protect the entirety of all the IT resources in the IT infrastructure. And more.
In order to help organizations establish and manage their IT infrastructure, there exist a few default administrative groups in Active Directory. These administrative groups have unrestricted access to Active Directory and to virtually every machine (laptop, desktop, server) that is joined to the Active Directory and is thus a part of the organization's IT infrastructure. Examples of such administrative groups include the Enterprise Admins group, the Domain Admins group etc.
Every individual who is a member of one of these default administrative groups has virtually unrestricted access across the entire IT infrastructure. He/she can obtain and control access to virtually every IT resource in the organization's IT infrastructure, whether it be a file, a folder, a SharePoint site, a server, a database, a line-of-business app, etc. ... everything.
In other words, anyone with administrative access in Active Directory proverbially has God-like powers, and practically speaking, he/she any day is about 100,000 times more powerful than the organization's CEO.
Should a SINGLE account that has administrative access in Active Directory be compromised, theoretically every IT resource in the organization could be at risk of compromise, and in the worst case scenario, the entirety of the organization's IT resources could be compromised.
In other words, proverbially speaking, he/she who is able to obtain Active Directory administrative access will have the "keys to the kingdom" i.e. once you have Active Directory administrative access, you can obtain access to, copy, tamper, divulge and destroy virtually any IT resource in the IT infrastructure.
THAT is EXACTLY what seems to have happened at Sony.
Quoting U.S. officials that were briefed on the investigation - "U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, allowing them broad access."
In a Microsoft Windows Server based IT infrastructure, a "system administrator" is, in layman's terms, an Active Directory administrator, because in such an infrastructure Active Directory is the heart of the "system".
The same U.S. officials also said that the hackers' ability to gain access to the passwords of a top-level information technology employee allowed them to have "keys to the entire building."
In all likelihood, someone compromised the account of an Active Directory administrator and once that was done, the rest was just a matter of time... taking one's sweet time to obtain read access to and copy vast parts of organization's IT resources.
It was really as simple as that.
Not Surprising at All
In light of the fact that someone with Active Directory administrative access has God-like powers, you might find yourself asking two questions -
Shouldn't organizations minimize the number of such highly privileged administrative accounts?
Shouldn't organizations offer the highest protection for these highly privileged administrative accounts?
The obvious answer to both the questions is YES.
Sadly, in reality, based on what we have seen thus far, in most organizations not only is there an unacceptably and unbelievably large number of these highly privileged administrative accounts, but these accounts also remain substantially vulnerable to compromise. In fact, in most organizations, the IT groups have no idea as to exactly who has what administrative access provisioned in their Active Directory deployments.
By the way, by what we have seen thus far, I'm referring to over 7,000 organizations from across 150 countries that have knocked at our doors thus far, and many of these organizations are some of the world's most prominent and powerful business and government organizations.
So, it is not surprising at all to us that someone was able to pull off this attack at Sony.
It helps to keep in mind that once a malicious perpetrator has Active Directory administrative access, and their primary intent is to obtain access to and copy information (files, folders, databases, mail, etc.), all they are really doing is engaging in "read access" to vast amounts of information, and read access is almost never audited (object-access auditing for reads is rarely enabled because of the volume it generates), so it would be very difficult to catch someone with Active Directory administrative access in the act of rampant information theft.
How to Enact the Sony Hack in 4 Steps
At its core, a perpetrator seems to have obtained administrative access and used it to obtain access to (and copy) large amounts of confidential information, all in 4 simple steps -
Step 1 - Become an Authenticated User - This step involves obtaining the credentials of any ONE of the thousands of Active Directory accounts that exist for Sony's employees, vendors and contractors. With just a little creativity (social engineering), this is fairly easy to do from the outside. It is easier still if you can officially get an account by virtue of say being a temporary contractor to Sony, not just in the U.S. but say in another country that Sony does business in/has operations in.
Step 2 - Identify Administrative Accounts - Once you're an Authenticated User, you have READ access to vast amounts of information, including valuable information such as the list of all administrative accounts in the organization, i.e. the accounts of all individuals who have administrative access in the organization's Active Directory, for instance all Enterprise Admins and Domain Admins. This is as easy as issuing the following LDAP query: (&(objectClass=user)(objectCategory=person)(adminCount=1)) (A caveat for defenders verifying this: adminCount is set by the SDProp process on accounts that are, or once were, members of a protected group, and it is not cleared when the account is removed, so this query returns a superset; the exact current membership of a group is obtained by enumerating the group's members, including nested groups.)
Step 3 - Escalate Privilege to Administrator Level - This is the defining step, in which you escalate your privilege from that of a regular non-administrative account to that of an administrative account, i.e. one of the many administrative accounts you identified in Step 2. This is the most difficult step in the entire attack vector. However, what is "difficult" for some is "easy" for others, and depending on your expertise and tool-set this can take days or minutes. (With the right tooling it takes only a few minutes.) Most amateurs use the PtH (pass-the-hash) attack vector to enact this step. Unfortunately for them, as organizations establish and enforce stricter admin account use policies, this attack vector is becoming harder to use. The second vector, Active Directory privilege escalation, which these amateurs don't know much about yet, remains the easiest way to enact this step.
Step 4 - Own The Building/Kingdom - Once you've obtained Enterprise/Domain Admin credentials, you're proverbially God within the network, because you can now obtain access to, copy, tamper with, destroy and divulge virtually any IT resource that is stored on a computer joined to the Active Directory domain and/or protected by an Active Directory security group (and that, by the way, is virtually the entire IT infrastructure). Once you've obtained Enterprise/Domain Admin credentials, you can take your sweet time (weeks, even months) accessing and copying large amounts of information from virtually any server (file server, mail server, etc.), database, laptop, etc., and because all of it is read access, it is hardly ever audited, so you're going to go unnoticed for a very long time.
(Strictly speaking, each time you obtain a Kerberos service ticket for a separate machine an event is logged (event ID 4769 on the domain controller that issued the ticket, and a network logon event on the target machine), but based on our experience in dealing with the thousands of organizations that have knocked at our doors seeking assistance, less than 1% of organizations even know how many administrative personnel they really have, let alone pay attention to audit entries for Domain Admin network logons to various machines. Besides, for the most part it's not your identity that shows up in the audit log, but that of the Enterprise/Domain Admin account you compromised, and he/she could very well have a legitimate need for all these logons, making the entries seem unsuspicious.)
Once you've taken your sweet time (days, weeks or months, your choice) to obtain access to virtually whatever you wanted (documents, emails, confidential data), you simply walk out, and once you're out, you're now in possession of a treasure trove of data. What you do with it is driven by your motive.
In Sony's case, the attackers used it to coerce Sony into not releasing a movie. (It appears that in order to prove to Sony that their threats were credible, they released vast amounts of stolen information into the public domain, causing substantial tangible and intangible harm to Sony for years to come.)
It's (really) that simple.
Step 3 Above - Privilege Escalation
As you'll hopefully agree, steps 1, 2 and 4 above are pretty darn easy to enact for anyone who knows the littlest thing about cyber security. It is step 3, the one that empowers a non-administrative individual to escalate his/her privilege to that of an all-powerful administrative account, that is the defining step here.
In fact, in most of the famous cyber security breaches thus far, privilege escalation has been the defining step that gave the perpetrators powerful administrative access, which could then be misused to fulfill virtually any malicious objective.
When it comes to privilege escalation in Windows / Active Directory, there are fundamentally two ways to escalate privilege - privilege escalation based on the capture and replay of hashes, and privilege escalation based on performing (a few) password resets (i.e. based on identification and exploitation of excessive permissions granted on Active Directory content such as admin accounts and groups.)
The first way i.e. privilege escalation based on the capture and replay of hashes (PtH) is well-known and commonly-used, and thankfully is steadily becoming harder to use, as organizations understand how to avoid being victimized i.e. essentially, prevent their admins from logging on to untrustworthy machines.
The second way i.e. Active Directory privilege escalation based on performing (a few) password resets, is steadily increasing as hackers become savvier about Active Directory security, and are able to identify and exploit privilege escalation paths with moderate effort. (With the right tools, this too is child's play.)
The cardinal difference between these two ways is that whereas the former absolutely requires that an administrator logs on to a machine owned by the attacker, the latter has no such requirement, and in fact can be enacted from any machine. NOW, if an administrator NEVER logs on to the computer owned by the attacker, the attacker can sit and wait and grow old and will not be successful. However, with the latter, the attacker can use any computer/account to identify and exploit these privilege escalation paths, and once identified escalate his/her privilege within minutes.
Of these two ways, privilege escalation based on password resets poses a far greater threat to organizations worldwide than privilege escalation based on the capture and replay of hashes, because it doesn't require the victim to log on to any specific machine, and because virtually any insider (i.e. anyone with a simple Active Directory account) could, with some basic knowledge and tooling, engage in it to obtain all-powerful administrative access within minutes.
Microsoft's recent acquisition of a little start-up called Aorato may be a step in the right direction towards helping organizations detect the occurrence of privilege escalation based on the capture and replay of hashes, but it still leaves organizations vulnerable to privilege escalation attacks based on (i.e. involving the identification and exploitation of excessive permissions in Active Directory that can be enacted by performing) password resets. Fortunately, our patented technology is helping organizations worldwide minimize the possibility of successful privilege escalation attacks involving password resets.
Why is Administrative Access Such a Big Deal?
Obtaining administrative access is a HUGE deal because once you have administrative access, you not only have virtually unrestricted access to just about every resource in the system, you are also a part of what is commonly referred to as the Trusted Computing Base (TCB) of the system, and once you're a part of the TCB, you can not only control the security of the entire system, you can also circumvent any additional control that might have been put in place to stop you.
In addition, in every system, default security specifications grant the administrators complete and unrestricted access. This is done so as to be able to provide the administrators the ability to control that system at all times.
For instance, in an Active Directory deployment, the default security on every domain-joined machine grants Domain Admins full control across all resource managers on that machine, as well as virtually all the privileges required to obtain access to and control the entire domain-joined machine.
So for instance, once you're a Domain Admin in an Active Directory deployment, you can obtain access to virtually every IT resource (file, folder, database, process, service etc.) on any domain-joined machine in that Active Directory forest. So, of course, by default you'd also have access to any and every server that is domain-joined, such as, but not limited to, Exchange Servers, File servers, Database servers, Application servers, LOB servers, PKI Servers etc., and of course all files and folders on any domain-joined client machine, e.g. the laptop or desktop of virtually every employee in the organization, including the CEO, CFO, CIO, CISO etc. In other words, you have access to virtually everything.
This is why administrative access is a HUGE deal, and this is why organizations must leave no stone unturned in reducing the number of administrative personnel to a bare minimum. Fortunately, all mature commercial operating systems (e.g. Microsoft Windows Server) provide the means to delegate a majority of all administrative responsibilities to lesser privileged administrators, and organizations should leverage the ability to delegate administrative functions to the extent they can.
At the end of the day, once you're an administrator, you have sufficient power to be able to control the security of the entire system. When you consider a system like the IT infrastructure of a $20B company, you could potentially (positively or negatively) impact more than $20B, if one includes the cost of intangible losses one could inflict.
Unaudited Delegated Administrative Access Grants - Low-hanging Fruit for Hackers
One often overlooked area of cyber security is that of delegated administrative access in Active Directory deployments. By delegated administrative access, I am referring to administrative access delegations that are provisioned in Active Directory deployments for the purpose of separating and/or distributing responsibilities for vital areas of IT management. Examples of such areas include account management, group management and access management.
Active Directory makes it very easy to delegate access, and thus most organizations leverage this capability to ease IT management. In most organizations, IT departments have delegated varying levels of access to numerous IT personnel, whether directly, or via group memberships. Delegation of administration is a very useful and powerful capability that if correctly used, could substantially help organizations minimize the number of highly privileged administrators in Active Directory, and thus help them reduce the risk associated with the compromise of a highly privileged Active Directory administrative account.
There is one challenge associated with delegation, though: although it is easy to delegate access precisely, it is very difficult to assess delegated access precisely, and over time the state of effective delegated access can change, resulting in a situation wherein many more individuals than should ideally have been delegated specific types of access end up having such access.
This results in a situation wherein many individuals end up being entitled to, and having, powerful delegated access that was never authorized, which can then be easily misused to compromise organizational security.
For example, a group called Privileged Account Managers could have been delegated the ability to manage administrative accounts, and thus be able to carry out sensitive tasks like being able to reset the password of all Domain Admins. Over time, someone could directly or indirectly, and intentionally or inadvertently modify the membership of this group resulting in a situation wherein more individuals than were initially assigned to this group are now able to carry out these management tasks on these privileged accounts as well.
For instance, someone could accidentally or intentionally make another group called HQ Local Admins a member of this Privileged Account Managers group, resulting in a situation wherein all members of the former group would now also have the same rights as the latter group, and thus also be able to manage the organization's privileged accounts. These changes, and their impact, can sometimes be hard to detect, assess and visualize, resulting in a situation wherein many more individuals than expected end up having escalated levels of privilege which could be accidentally or intentionally misused to inflict damage. In this case, the damage could be the compromise of one of the organization's privileged Domain Admin accounts, and the impact of such a compromise could be, well... we all know what happened at Sony.
This is why delegated administrative access rights are also very important to keep an eye on, because left as is, they could potentially be the weakest link in an organization's cyber security defenses. Fortunately, today solving the delegation audit challenge too has become as easy as touching a button, so organizations can safely use delegation to minimize the number of highly privileged administrative accounts in their Active Directory.
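To make the nesting problem just described concrete, here is an added PowerShell example (my illustration for this post; it is not Paramount Defenses' technology and not code from the original post). It expands the effective membership of a delegated group, records the chain of nested groups each member arrived through, and diffs the result against an approved list. It assumes a domain-joined host with the RSAT ActiveDirectory module; the group name "Privileged Account Managers" is the example used above, while the approved-member names are placeholders.

```powershell
# Added example (not Paramount Defenses' code): expand a delegated group's effective
# membership, record each member's nesting chain, and diff it against the approved list.
# Assumes a domain-joined host with the RSAT ActiveDirectory module; the group name is the
# post's own example and the approved-member names are placeholders.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    # Walks nested groups depth-first and emits one record per non-group principal,
    # with the chain of groups (Path) through which it inherits the delegation.
    # $Visited stops infinite recursion on circular nesting (A in B, B in A).
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string[]]$Path = @(),
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Identity $GroupName
    if (-not $Visited.Add($group.DistinguishedName)) { return }   # already expanded
    $chain = $Path + $group.SamAccountName

    foreach ($m in (Get-ADGroupMember -Identity $group)) {        # direct members only
        if ($m.objectClass -eq 'group') {
            Get-EffectiveMembers -GroupName $m.DistinguishedName -Path $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Path   = ($chain -join ' > ')   # e.g. "Privileged Account Managers > HQ Local Admins"
            }
        }
    }
}

# The people who are supposed to hold this delegation (placeholder list; keep the real one under change control)
$ApprovedManagers = @('alice.admin', 'bob.admin')

$effective = Get-EffectiveMembers -GroupName 'Privileged Account Managers'
$effective | Format-Table Member, Class, Path -AutoSize

# Drift: anyone not on the approved list. Path shows which nested group let them in.
$drift = $effective | Where-Object { $_.Member -notin $ApprovedManagers }
$drift | Format-Table Member, Path -AutoSize
```

Run on the schedule suggested later in this post and keep the previous output; a new Path value such as "Privileged Account Managers > HQ Local Admins" is exactly the silent change described above, and it is far easier to spot in a diff than in the Active Directory Users and Computers console.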
Could This Have Been Prevented?
Cyber security is fundamentally about risk management in computer systems, and any cyber security expert worth his salt will tell you that you can never mitigate 100% of the risk; you can mitigate much of it but not all of it, and you have to manage the part you can't mitigate.
In other words, no one can say with absolute certainty that such a security incident could have been completely prevented.
What I will say, is that with adequate security measures in place, i.e. a combination of adequate security policies, procedures and controls, the likelihood of Sony witnessing a security incident of this magnitude could have been highly minimized.
Organizations around the world can learn from what happened at Sony, and enact adequate risk mitigation measures in a timely manner to minimize the likelihood of hackers being able to pull off an attack of such a devastating magnitude in their IT environments.
5 Risk Mitigation Measures Sony Could have Taken to Reduce their Exposure
Here are 5 risk mitigation measures that Sony could have taken, and that other organizations can take today, to prevent the occurrence of a security incident of this magnitude -
1. Reduce the number of Active Directory administrative personnel to a bare minimum, by separating, distributing and delegating all non-administrative responsibilities amongst a large number of relatively less-privileged administrators. For more information on how to do so, please refer to Microsoft's official best-practice guide on Delegation of Administration.
2. Ensure that all administrative delegations in Active Directory adhere to the principle of least privilege. This is very important because unless this is done, perpetrators could compromise a delegated administrator's account and use it to elevate their privilege to that of a Domain Admin. For more information on how to do so, please click here.
3. Afford the highest protection to all Active Directory administrative personnel and groups. This involves protecting these accounts from all avenues of credential compromise (some of them are listed below) as well as assigning dedicated computers for each of these administrative personnel.
4. Ensure that only equally trustworthy individuals can manage these Active Directory administrative personnel and groups. For example, ensure that only equally trustworthy individuals and no delegated administrators have the ability to reset the passwords of these accounts, change critical settings on these accounts (e.g. the userAccountControl attribute), unlock these accounts should they become locked, as well as change/modify the group memberships of any administrative groups (e.g. the Domain Admins group), create and link a GPO to the OU in which the computer account of these admins is stored, as well as manage the OUs in which these user & computer accounts/groups are stored.
5. Use auditing to audit the enactment of management tasks on Active Directory administrative personnel accounts, their computer accounts and Active Directory administrative groups, as well as audit changes in security permissions on any of these objects and on the OUs in which they reside.
Also, any time an Active Directory administrative account holder finds that his/her password is not working, before simply getting it reset, investigate and find out whether or not someone reset his/her password, because if someone did so, chances are that they were in the midst of engaging in Active Directory Privilege Escalation.
In addition to the above, organizations can and should certainly invest in deploying additional security controls to add additional layers of security for their IT resources. However, it must be noted and understood that no matter how many layers you deploy, you CANNOT prevent the administrator of a system from being able to circumvent/disable any such deployed control, because he/she is by definition an administrator of the system, and is thus a part of the system's Trusted Computing Base (TCB).
Further Simplified - 5 Simple Risk Reduction Steps
In case the above risk mitigation measures seem too much to enact immediately, here are 5 simple steps that organizations can take today to reduce their exposure and mitigate this risk -
1. Identify every single administrative account and group in your Active Directory (AD).
2. Identify every single individual that can manage every AD admin account and group.
3. Reduce the number of individuals on these 2 lists to a bare minimum.
4. Ensure that only the most trustworthy individuals are on these 2 lists.
5. Designate a unique specific computer for logon/use for each of these individuals.
Having done so, establish a schedule (weekly, fortnightly or monthly) to audit both, the list of admin accounts and groups, as well as the list of all individuals who can manage them.
Examples of such groups include Enterprise Admins, Domain Admins etc., and examples of management tasks include who can reset their passwords, unlock these accounts, modify these groups' memberships, modify permissions on these accounts and group memberships etc.
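The first two of those five steps (and measure 4 of the longer list above) boil down to one question: which identities hold rights on the admin groups and their members that amount to "can manage this admin"? The following added PowerShell example (my own illustration, not the post's code and not Paramount Defenses' technology) answers it by walking the ACL of each admin group, of every account nested in it, and of AdminSDHolder, whose ACL the SDProp process copies onto all protected admin accounts and groups. It flags Reset Password, writes to the member and userAccountControl attributes, GenericAll, WriteDacl and WriteOwner. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the objects' security descriptors; the list of trusted identities is an assumption to adapt to your own domain.

```powershell
# Added example (not Paramount Defenses' code): who can manage the admin accounts and groups?
# Assumes RSAT ActiveDirectory module; $Trusted is a placeholder list to adapt to your domain.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$ADR     = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the GUIDs from this forest's schema and Extended-Rights container rather than hard-coding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$Guid = @{
    Any      = [guid]::Empty                   # an ACE with no ObjectType covers every property/right
    ResetPwd = Get-RightsGuid 'Reset Password'
    Member   = Get-SchemaGuid 'member'
    Uac      = Get-SchemaGuid 'userAccountControl'
}

function Get-ManagementAces {
    # Returns every Allow ACE on the object that lets its holder take over the account/group
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $t = $ace.ObjectType
        $why = @()
        if (($r -band $ADR::GenericAll) -eq $ADR::GenericAll) { $why += 'GenericAll' }
        if (($r -band $ADR::WriteDacl)  -ne 0) { $why += 'WriteDacl' }
        if (($r -band $ADR::WriteOwner) -ne 0) { $why += 'WriteOwner' }
        if (($r -band $ADR::ExtendedRight) -ne 0 -and $t -in @($Guid.Any, $Guid.ResetPwd)) { $why += 'ResetPassword' }
        if (($r -band $ADR::WriteProperty) -ne 0 -and $t -in @($Guid.Any, $Guid.Member))   { $why += 'Write:member' }
        if (($r -band $ADR::WriteProperty) -ne 0 -and $t -in @($Guid.Any, $Guid.Uac))      { $why += 'Write:userAccountControl' }
        if ($why.Count -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = ($why -join ',')
            Inherited = $ace.IsInherited
            Object    = $DistinguishedName
        }
    }
}

# Step 1: the admin groups and every (nested) member, plus AdminSDHolder, whose ACL SDProp
# stamps onto all protected admin accounts and groups, so one bad ACE there spreads to every one of them
$AdminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$targets = [System.Collections.Generic.List[string]]::new()
$targets.Add("CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)")
foreach ($name in $AdminGroups) {
    $g = Get-ADGroup -Filter "name -eq '$name'"          # Enterprise/Schema Admins exist only in the forest root
    if (-not $g) { continue }
    $targets.Add($g.DistinguishedName)
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $targets.Add($_.DistinguishedName) }
}

# Step 2: who can manage them, minus the identities expected to hold these rights (placeholder list)
$nb = (Get-ADDomain).NetBIOSName
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins")

$findings = $targets | Sort-Object -Unique | ForEach-Object { Get-ManagementAces -DistinguishedName $_ } |
            Where-Object { $_.Identity -notin $Trusted }
$findings | Sort-Object Identity, Object | Format-Table Identity, Rights, Inherited, Object -AutoSize
```

Every identity that appears in the output is, for the purposes of steps 3 and 4 above, an administrator, whether or not it is a member of any admin group. Bear in mind that this reads the DACL only: an identity with WriteDacl or WriteOwner can grant itself the rest, which is why those two are reported alongside Reset Password. Note also that the Active Directory cmdlets and the AD: drive do not expand group membership inside the ACEs; feed any group listed in the output through the membership-expansion script earlier in this post to see who actually holds the right.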
For more details and specific risk-mitigation guidance, click here.
Tip 1: Design and use a simple in-house script that shows each administrator the last time a Kerberos ticket was issued for him/her, and the target computer it was issued for, helping him/her identify whether or not his/her account has been compromised and may currently be in simultaneous use.
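As an added example of the script this tip describes (my own illustration, not the post's code and not Paramount Defenses' technology), the following PowerShell pulls from every domain controller's Security log the events that reveal use or takeover of an admin account: 4768 (TGT issued), 4769 (service ticket issued, whose ServiceName is the target computer) and 4724 (password reset), and summarizes them per account. It assumes a domain-joined host whose user can read the DCs' Security logs remotely, and that Kerberos authentication/service ticket auditing and user account management auditing are enabled on the DCs. The account names and the sample records are constructed placeholders, included so the summary can be tried without a domain.

```powershell
# Added example (not Paramount Defenses' code): last Kerberos ticket, target computer, client
# addresses and password resets per admin account, from every DC's Security log.
# Assumes remote read access to the DCs' Security logs; sample records below are constructed.
$Ids = @{
    4768 = 'TGT'             # Kerberos TGT requested; Service is krbtgt
    4769 = 'ServiceTicket'   # Kerberos service ticket requested; Service is the target computer
    4724 = 'PasswordReset'   # an attempt was made to reset an account's password
}

function ConvertFrom-SecurityEvent {
    # Flattens a Security event's EventData into the few fields the summary needs
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Kind    = $Ids[[int]$Event.Id]
            Account = ($d.TargetUserName -split '@')[0]          # 4769 logs user@REALM, the others sAMAccountName
            Actor   = $d.SubjectUserName                         # who performed a password reset
            Service = ($d.ServiceName -replace '\$$', '')        # target computer account with the '$' stripped
            Client  = ($d.IpAddress -replace '^::ffff:', '')     # IPv4-mapped prefix stripped
            DC      = $Event.MachineName
        }
    }
}

function Get-AdminAccountEvents {
    # Pulls the last $Hours of those events from every DC (each DC only logs the tickets it issued)
    param([int]$Hours = 24)
    Import-Module ActiveDirectory
    $filter = @{ LogName = 'Security'; Id = [int[]]$Ids.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ConvertFrom-SecurityEvent
    }
}

function Get-AdminActivitySummary {
    # One record per admin: last ticket and its target, every client address seen, and any resets
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][string[]]$AdminAccounts)
    foreach ($acct in $AdminAccounts) {
        $mine    = @($Events | Where-Object { $_.Account -eq $acct })
        $tickets = @($mine | Where-Object { $_.Kind -in 'TGT', 'ServiceTicket' } | Sort-Object Time)
        $last    = $tickets | Select-Object -Last 1
        $clients = @($tickets | Select-Object -ExpandProperty Client | Sort-Object -Unique)
        [pscustomobject]@{
            Account         = $acct
            LastTicket      = $last.Time
            LastTarget      = $last.Service
            ClientAddresses = $clients
            SimultaneousUse = ($clients.Count -gt 1)   # an admin on one dedicated computer should show one address
            PasswordResets  = @($mine | Where-Object Kind -eq 'PasswordReset' |
                                ForEach-Object { "$($_.Time) by $($_.Actor) (logged on $($_.DC))" })
        }
    }
}

# Constructed sample records (not real log data) so the summary can be tried without a domain:
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2015-01-05 08:00'; Kind = 'TGT';           Account = 'alice.admin'; Actor = $null;         Service = 'krbtgt'; Client = '10.1.1.20'; DC = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2015-01-05 08:05'; Kind = 'ServiceTicket'; Account = 'alice.admin'; Actor = $null;         Service = 'FS01';   Client = '10.1.1.20'; DC = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2015-01-05 08:06'; Kind = 'ServiceTicket'; Account = 'alice.admin'; Actor = $null;         Service = 'FS01';   Client = '10.9.9.9';  DC = 'DC02' }
    [pscustomobject]@{ Time = [datetime]'2015-01-05 08:07'; Kind = 'PasswordReset'; Account = 'alice.admin'; Actor = 'hq.helpdesk'; Service = '';       Client = '';          DC = 'DC02' }
)
Get-AdminActivitySummary -Events $sample -AdminAccounts 'alice.admin' | Format-List

# Live run against the real Domain Admins for the last 24 hours:
# Get-AdminActivitySummary -Events (Get-AdminAccountEvents -Hours 24) `
#     -AdminAccounts (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
```

On the sample, alice.admin shows two client addresses (SimultaneousUse = True) and a reset by hq.helpdesk that she did not ask for, which is the situation the note above says to investigate before simply getting the password reset again. For group membership changes to the admin groups, add 4728, 4732 and 4756 to the filter; those events name the group in TargetUserName and the added member by distinguished name in MemberName.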
Note: As stated above, organizations should additionally implement other controls as well, but the above mentioned steps are essential because no matter what additional controls are in place, by definition, a system's administrators are part of the system's Trusted Computing Base (TCB) and can thus almost always circumvent and/or disable any additional controls that are in place.
Common Account Compromise Avenues
Here are some common ways in which someone could attempt to compromise an administrative account -
Guess the user's password
Brute-force the user's password
Obtain access to hashes and compare hashes to infer his password
Deploy key-stroke logging software on the user's computer to capture his password
Social engineer the user to enter his password on a fake website, and capture that entry
Social engineer the user to logon to a compromised computer and capture his hash
Reset the user's password
Coerce the user into giving you his password
Interestingly, of all the ways listed, the easiest way to compromise an administrator's account is to reset his password.
Here's why -
Most organizations have account lockout policies in place, making password guessing and brute-forcing difficult. Obtaining access to hashes requires physical (+system) access to a DC, which is not very easy to obtain. Deploying a keystroke logger requires you to obtain system access to the admin's computer (since you need the privilege to install a driver), and that may or may not be easy. Social engineering a user to enter his password on a fake site and/or log on to a compromised computer will require some social engineering skill. Coercing the user will most likely involve physical intimidation and thus require physical access to the user.
In contrast, a password reset can be performed from halfway around the world in about 30 seconds, just as long as you have sufficient effective permissions to reset the user's password. With a little bit of creativity and the right tools, such permissions can usually be obtained rather quickly. (It turns out that it is very difficult to accurately assess who can reset whose passwords, so organizations are seldom able to accurately assess and thus precisely control who can reset whose passwords, as a result of which many more individuals than should be able to can actually reset someone's password.)
Penetration Testing - Overrated
Folks, whether you turn on your Television sets or look at the media coverage of the Sony Hack online, you'll find many self-proclaimed cyber-security experts opine on the subject. You'll also find some cyber-security companies, particularly those in the penetration testing space, trying to claim that penetration-testing could have helped Sony prevent this. That's lame.
You see, a penetration test is merely a tactical security measure designed to assess an organization's security defenses at a given point in time. While the findings of a penetration test can certainly help identify specific areas for improvement, by itself it is not the "fix" itself, and it only gives you a moment in time assessment. (Besides, a cyber-security company / professional's penetration testing capabilities depend on their skill-set and tool-set, and even the world's leading penetration testing companies are novices at best when it comes to assessing the myriad of advanced ways in which a malicious insider could gain administrative access in Active Directory.)
In essence, penetration testing could at best help you identify your security worthiness at a given point in time, and given how rapidly the state of access changes in an environment, the value of a pen test is rather limited in contrast to your ability to actually "fix" the problem i.e. in this case, minimize the number of highly privileged administrative personnel in your Active Directory deployment.
Colossal Impact
What happened at Sony was tantamount to a complete and system-wide compromise of an organization's IT infrastructure.
Trying to put a price on the cost of this security incident is very difficult. Suffice it to say that in the long run, it could potentially exceed the net worth of the organization, if you take into account not just the lawsuits that they're now going to face, but more so the intangible loss i.e. the loss of trust, damage to reputation, etc.
In addition, if their IP was stolen as well, it could really impact their ability to stay competitive, and because the products they develop and sell operate largely in commoditized spaces, the loss of IP could have profound implications on their business in the long run.
If this is not enough to be a wake-up call for the rest of the world, I don't know what else can drive home the point any better.
Reiterated This A Year Ago
This isn't rocket-science; it's common-sense. But perhaps, as they say, common sense is not so common. At Paramount Defenses, we saw this coming years ago, and in addition to documenting this in The Paramount Brief, I reiterated this in this blog entry last year. (The passages in quotation marks below are quotes from that old blog post.)
"It is SO powerful that one who knows how to exploit it can use it to instantly take over virtually any Microsoft Windows Server based IT infrastructure in the world." In this case, the IT infrastructure was that of Sony's, and the perpetrators did take it over.
"With sufficient effort, it can also be used to develop an exploit that can then be packaged into a malicious payload that can automate the disruption / destruction of any Active Directory deployment of choice within hours to days." As you may know, at Sony, the hackers deployed malware to disrupt virtually all of Sony's computers.
"Once determined, this information can be easily used to perform single/multi step privilege escalations and ultimately gain varying levels of, and usually complete, administrative access...Once an attacker has gained Domain Admin access in your environment, he could do whatever he/she wants." U.S. officials that were briefed on the investigation told CNN that "U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, allowing them broad access"
"...once you have compromised his account, you're a minute away from owning the kingdom...The attack surface is vast, and the prize is the coveted "keys to the kingdom"." The same U.S. officials also said that "The hackers ability to gain access to the passwords of a top-level information technology employee allowed them to have "keys to the entire building,"."
I could share many more quotes from that blog entry, but out of respect for your time (and mine), I'll share just these two pertinent ones...
"So you see, virtually every IT resource in the Active Directory is a potential target. I'll say this again - technically ANYONE with a Domain User account could take HOURS/DAYS/WEEKS to determine effective access in your environment, and find privilege escalation paths, and when he has, at a time of his choice, he could make his move i.e. WITHIN MINUTES, exploit the identified privilege escalation paths to take over the entire IT infrastructure."
and, finally...
"...imagine what a foreign government can do with 1000s of personnel devoted to building something like this, especially if you consider what is at stake, and what can be had."
Well, my 10 minute timer just rang, so this will have to end right here. But, just one more thing...
Who's Next? (Every Organization is Vulnerable - The Whole World Sitting on a Ticking Bomb?)
As I mentioned above, what (most likely) happened at Sony was rather simple - hackers compromised a single administrative account, then used that access to obtain virtually unrestricted access to and steal a colossal amount of corporate data, and finally used the stolen data to wreak havoc for the organization. To rub it in, they went a mile further to develop and deploy malware that destroyed a majority of Sony's computers.
Sadly, ONE Active Directory administrative account is all one needs to carry this out. Just ONE.
Speaking of which, since over 85% of the world operates on Active Directory, and in 99% of these IT infrastructures, not only do these organizations have absolutely no idea as to exactly how many administrative accounts and groups they have in Active Directory, they also seem to have no idea as to exactly who is delegated what access on their Active Directory administrative accounts and groups, the following song featured in the movie November Man comes to mind...
From the world's most powerful governments to the world's top business organizations, over 85% of the world is vulnerable today, and as hackers become sophisticated, unless organizations start to take this SERIOUSLY, anyone could be next.
Incidentally, a year ago, I ended that blog post with the following words... "Unaddressed though, it is a ticking time-bomb..."